Bug 1184699 (CVE-2021-3465) - VUL-0: CVE-2021-3465: p7zip: NULL pointer dereference in NCompress:CCopyCoder:Code function
Summary: VUL-0: CVE-2021-3465: p7zip: NULL pointer dereference in NCompress:CCopyCoder...
Status: RESOLVED FIXED
Alias: CVE-2021-3465
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/281621/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3465:4.0:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-14 07:05 UTC by Alexander Bergmann
Modified: 2024-07-18 18:08 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
reproducer zip file (242 bytes, application/zip)
2021-04-14 07:07 UTC, Alexander Bergmann
Description Alexander Bergmann 2021-04-14 07:05:38 UTC
rh#1942677

In p7zip-17.03, the function NCompress::CCopyCoder::Code in CPP/7zip/Common/StreamObjects.cpp will call outStream->Write where a memcpy uses a NULL pointer as destination address, leading to a crash.

Reference:
https://github.com/jinfeihan57/p7zip/issues/130

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1942677
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3465
Comment 1 Alexander Bergmann 2021-04-14 07:07:53 UTC
Created attachment 848338
reproducer zip file

https://github.com/jinfeihan57/p7zip/files/6182176/null1.zip

The reproducer is working in SLE-15 and SLE-15-SP2. It looks like SLE-12 is not affected.

# 7z l -slt null1.zip 

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel Xeon E312xx (Sandy Bridge, IBRS update) (206A1),ASM,AES-NI)

Scanning the drive for archives:
1 file, 242 bytes (1 KiB)

Listing archive: null1.zip

/usr/bin/7z: line 2:  3614 Segmentation fault      (core dumped) "/usr/lib64/p7zip/7z" "$@"
Comment 3 Markéta Machová 2021-04-30 11:30:28 UTC
Fixed python-pyxdg is on its way to Factory. Closing.
Comment 4 Markéta Machová 2021-04-30 11:32:12 UTC
Oops, sorry, wrong bug. This one I am giving back to security, since my work is done.
Comment 5 Swamp Workflow Management 2021-05-04 19:23:31 UTC
SUSE-SU-2021:1491-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1184699
CVE References: CVE-2021-3465
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    p7zip-16.02-14.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    p7zip-16.02-14.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2021-05-08 01:17:26 UTC
openSUSE-SU-2021:0684-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1184699
CVE References: CVE-2021-3465
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    p7zip-16.02-lp152.8.3.1